Top-level executives must be made to understand the risk they pose to their own firms owing to the nature of their position, and should drive cyber security awareness across the business, according to Darren Argyle, CISO at market research firm IHS Markit.
Argyle said at the Investment Week Cyber Security Strategy Briefing 2016 event, in partnership with V3 sister title Computing, that efforts to increase cyber awareness will not have an impact without buy-in from the board.
“You have to have support from the top. Security will not work in any company if you don’t have that,” he said.
Argyle explained that those responsible for security in a company should do this by making it clear just how big an impact a cyber attack could have.
One way to do this is to bring some reality to the threats by making executives aware of the extent to which their social profiles may be studied and used against them as part of a hack on the business.
“[Hackers] will often spend months trying to understand the hobbies and lifestyles of executives and then tailor an email to get them to open an attachment or click on a link,” he said.
“You can spend millions on security but it’s wasted if you can be hacked by an email. You need to build a risk-aware culture and if you make executives realise the risks they face you’re more likely to get them engaged in a cyber security programme.”
Argyle added, however, that there are also positive ways to hammer home the cyber security message, rather than just focusing on the dangers.
“If you’re submitting a sustainability report and you want a high score you need a cyber security awareness programme. Similarly, if you have cyber insurance, the insurers want to know that people are trained. If they’re not, your premiums will go up,” he said.
“Customers too are increasingly putting questions to firms about their cyber security and it’s much easier to deal with that if you have a clear, well-defined strategy and staff training in place.”
Once top-level executives get on board with the need for cyber security training it is vital that they remain involved.
Ideally the CEO should take the lead, which is what Markit did in a video sent to all staff featuring the CEO explaining why cyber security is so important to the business as a whole.
“You need to get the top people involved to make the message stick. Staff are more likely to listen to this than anyone else, such as the CISO,” he said.
Once an awareness programme is up and running Argyle advised companies to recruit ‘cyber security ambassadors’ to monitor progress.
“It’s all about building a human firewall as much as a technology one,” he said.